ARP Spoofing
A local-network attack that sends falsified ARP messages to link the attacker's MAC address to a legitimate device's IP, enabling traffic interception.
Also known as: ARP poisoning
Last reviewed: 10 June 2026
Address Resolution Protocol (ARP) is used by devices on the same local network to find each other's hardware (MAC) addresses. ARP spoofing — also called ARP poisoning — floods the network with fake ARP replies that associate the attacker's network card with another device's IP address (often the default gateway). Other devices update their ARP caches with the false mapping and unknowingly send traffic through the attacker.
ARP spoofing is a foundational technique for network-level man-in-the-middle attacks on local networks. It enables eavesdropping, session hijacking, and credential theft on shared wired or wireless networks, including office environments.
Dynamic ARP inspection (DAI) on managed network switches and VPN use on shared networks are effective countermeasures. Segment sensitive systems onto isolated VLANs to limit blast radius.
Examples
- An attacker on an open office Wi-Fi uses ARP poisoning to position themselves between all connected devices and the router, reading all unencrypted traffic.
- An employee's ARP table is poisoned to redirect traffic through an attacker's laptop, enabling credential capture.